- [Narrator] Security roles and responsibilities may differ between organizations, but there are several common themes that exist across almost all businesses. The senior information security leader in an organization is commonly known as the chief information security officer, or CISO. This title is also sometimes pronounced CISO. In some organizations, the CISO may have a different title, such as director of information security or chief security officer. Another difference between organizations lies in where the CISO reports. In some cases, the CISO reports to the chief information officer, the CIO, an organization's most senior IT leader. In other cases, the CISO reports to a risk management or audit function, providing a degree of separation between the individual responsible for IT and the individual responsible for ensuring that IT has effective security controls. The CISO normally leads a team of information security professionals.

The size of that team will vary depending upon the size of the organization, the nature of the business, and the specific responsibilities assigned to information security as opposed to other technology units. This may include security generalists with a broad background across all the domains of information security, and/or specialists who focus on particular areas, such as incident response, network security, and security awareness. All of the members of an information security team must follow important guiding principles for their role. One of these is the principle of due care. Due care says that security professionals must fulfill the legal responsibilities of the organization as well as the professional standards of information security. They must exercise the reasonable level of care that would be expected of any security professional in their situation. The second principle is that of due diligence, which says that security professionals should take reasonable measures to investigate the risks associated with the situation.

For example, if the organization is considering implementing a major new customer relationship management system, security professionals should use due diligence and investigate the security controls available with that system to ensure that they meet the organization's security objectives.